Terms of Use
Last updated June 08, 2023
Data Security Standards
APPENDIX 1
SECURITY STANDARDS
Ikigai Labs will take the security measures set forth in this Appendix.
1. Physical Control Access/Physical Security. Ikigai Labs will take industry standard steps designed to prevent unauthorized persons from gaining access to Personal Data processing systems by maintaining industry standard physical security controls at all Ikigai Labs sites at which an information system that uses or houses Personal Data is located.
2. Logical/Data Access Control. Ikigai Labs will maintain appropriate access controls designed to prevent Personal Data processing systems from being used without proper authorization, including:
- restricting access to Personal Data to only authorized Ikigai Labs personnel who require such access in order to perform the Services and providing the lowest level of access required in accordance with the “least privilege” approach and to the minimum number; and
Further, Ikigai Labs will:
3. Data Transfer Control/Network Security. Ikigai Labs will ensure that: (i) Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control). Supplier will maintain network security using industry standard equipment and industry standard techniques, including firewalls, intrusion detection and prevention systems, and routing protocols; (ii) it utilizes industry standard anti-virus and malware protection software to protect Personal Data from anticipated threats or hazards and protect against unauthorized access to or use; and (iii) it utilizes industry-standard encryption tools (not less than 128-bit key utilizing an encryption method approved by Customer) and other secure technologies in connection with any and all Personal Data that Ikigai Labs: (A) transmits or sends wirelessly or across public networks; (B) stores on laptops or storage media; or (C) stores on portable devices, where technically feasible (including safeguarding the security and confidentiality of all encryption keys associated with encrypted Sensitive Personal Data).
4. Availability Control/Separation Control. Ikigai Labs will implement appropriate policies and procedures to ensure that: (i) it Processes Personal Data in accordance with Customer’s instructions; (ii) it Processes separately Personal Data collected for different purposes; and (iii) Personal Data is protected against accidental destruction or loss.
5. Organizational Security. Ikigai Labs will maintain security policies and procedures to classify sensitive or confidential information, clarify security responsibilities and promote awareness for employees by, among other things: (i) maintaining adequate procedures regarding the use, archiving, or disposal of media containing Personal Data; and (ii) managing Security Incidents in accordance with appropriate incident response procedures. In addition:
a. Prior to providing access to Personal Data to Ikigai Labs personnel, Ikigai Labs will require Ikigai Labs personnel to comply with its Information Security Program.
b. Ikigai Labs will maintain a security awareness program to train personnel about their security obligations. This program will include training about data classification obligations, physical security controls, security practices, and security incident reporting.
c. Ikigai Labs will maintain procedures such that (i) when media are to be disposed of or reused, any subsequent retrieval of any Personal Data stored on them before they are withdrawn from the inventory will be prevented; and (ii) when media are to leave the premises at which the files are located as a result of maintenance operations, any undue retrieval of Personal Information stored on them will be prevented.
6. Business Continuity. Ikigai Labs will maintain appropriate back-up, disaster recovery and business resumption plans, business continuity plan and risk assessment, and review and test these plans regularly to ensure that they are up to date and effective. Ikigai Labs will maintain procedures for reconstructing lost Personal Data in Ikigai Labs’ possession or under Ikigai Labs’ control, and correct, at Customer’s request, any destruction, loss or alteration of any of Personal Data caused by Ikigai Labs, or arising out of Ikigai Labs’ breach of this Data Processing Addendum.
7. Security Manager. Ikigai Labs will designate an employee who will be responsible for managing and coordinating the performance of Ikigai Labs’ obligations set forth in its Information Security Program and in this Exhibit.
8. Risk Assessments. Ikigai Labs will conduct periodic risk assessments and reviews and, as appropriate, update its Information Security Program; provided that Ikigai Labs will not modify its Information Security Program in a manner that would weaken or compromise the confidentiality, availability or integrity of Personal Data.
Data Processing
This Data Processing Addendum (“Data Processing Addendum”) is incorporated into and subject to the provisions of the Master Services Agreement entered into by Customer and Ikigai Labs (the “Agreement”). Capitalized words and phrases have the meaning specified in the Agreement. During the course of providing Services, Ikigai Labs may obtain, access or otherwise Process Personal Data. Ikigai Labs agrees to protect all Personal Data as detailed in this Exhibit D.
1. Definitions
a. “Applicable Privacy Laws” means all applicable privacy, information security, data protection, and data breach notification laws and regulations.
b. “Information Security Program” means a comprehensive written information security program which complies with Applicable Privacy Laws, and contains appropriate administrative, technical, and physical safeguards to protect Personal Data against anticipated threats or hazards to its security, confidentiality or integrity (such as unauthorized access, collection, use, copying, modification, disposal or disclosure, unauthorized, unlawful, or accidental loss, destruction, acquisition, or damage or any other unauthorized form of Processing).
c. “Personal Data” means any information in any form, format or media (including paper, electronic and other records), that identifies an individual or relates to an identifiable individual that (i) is provided by or on behalf of Customer (or its employees, contractors or agents), (ii) Ikigai Labs provided to or obtained for Customer or (iii) Ikigai Labs Processes, in each case, in connection with the Cloud Services.
d. “Process” or “Processing” or “Processed” means the collection, recording, organization, structuring, alteration, use, access, disclosure, copying, transfer, storage, deletion, combination, restriction, adaptation, retrieval, consultation, destruction, disposal or other use of Personal Data.
e. “Security Incident” means any accidental or unauthorized access, acquisition, use, modification, disclosure, loss, destruction of or damage to Personal Data, or any other unauthorized Processing of Personal Data.
f. “Sensitive Personal Data” means any of the following types of Personal Data: (i) social security number, taxpayer identification number, passport number, driver’s license number or other government-issued identification number; (ii) payment card (including credit or debit card) details or financial account number, with or without any code or password that would permit access to the account or credit history; or (iii) information on race, religion, ethnicity, sex life or practices or sexual orientation, medical or health information, genetic or biometric information, biometric templates, political or philosophical beliefs, political party or trade union membership, background check information or judicial data such as criminal records or information on other judicial or administrative proceedings.
2. Data Processing and Protection
a. Compliance with Applicable Privacy Laws. Ikigai Labs will comply with Applicable Privacy Laws relating to Ikigai Labs’ performance under this Data Processing Addendum and each applicable Order Form.
b. Limitations on Use. Ikigai Labs will Process Personal Data only on Customer’s behalf to deliver Cloud Services in accordance with this Data Processing Addendum or Customer’s other documented instructions, whether in written or electronic form, such as an applicable Order Form. The duration of the Processing will be the same as the duration of the applicable Order Form.
c. Information Security Program. Ikigai Labs will implement, maintain, monitor and, where necessary, update an Information Security Program that will include the measures listed in the Security Standards attached hereto as Appendix 1.
d. Data Integrity. Ikigai Labs will ensure that all Personal Data created or maintained by Ikigai Labs on Customer’s behalf is accurate and, where appropriate, kept up to date, and will erase or rectify inaccurate or incomplete Personal Data in accordance with Customer’s instructions.
e. Cross-Border Transfers. Ikigai Labs will ensure that Personal Data is not physically transferred to, accessed by or otherwise processed by Ikigai Labs personnel in any country other than those specified in the applicable Order Form, if specified, unless Customer agrees in writing. If applicable, at Customer’s request, Ikigai Labs (and if relevant, Ikigai Labs’ affiliates or subcontractors) will enter into an appropriate data processing agreement that incorporates the European Commission Standard Contractual Clauses between Controllers and Processors, or any similar agreement relating to other countries, with Customer to allow Customer’s international offices to transfer Personal Data to Ikigai Labs or such affiliates and/or subcontractors.
f. Subcontracting. Notwithstanding, and expressly in limitation of, anything to the contrary in the Agreement, Ikigai Labs will not disclose or transfer Personal Data to, or allow access to Personal Data by, (each, a “Disclosure”) any third party without Customer’s express prior written consent; provided, however, that Ikigai Labs may Disclose Personal Data to its affiliates and subcontractors for purposes of providing the Cloud Services to Customer, subject to the following conditions: (i) Ikigai Labs will maintain a list of the affiliates and subcontractors to which it makes such Disclosures and will provide this list to Customer upon Customer’s request; (ii) Ikigai Labs will provide Customer at least 30 days’ prior notice of the addition of any affiliate or subcontractor to this list and the opportunity to object to such addition(s); and (iii) if Customer makes such an objection on reasonable grounds and Ikigai Labs is unable to modify the Cloud Services to prevent Disclosure of Personal Data to the additional affiliate or subcontractor, Customer will have the right to terminate the relevant Processing. Ikigai Labs will, prior to any Disclosure, ensure that such third party is bound by contractual obligations that are at least as restrictive as this Exhibit. Ikigai Labs shall remain fully responsible to Customer for the proper and complete discharge of all the subcontracted obligations.
g. Requests or Complaints from Individuals. Ikigai Labs will notify Customer in writing, without undue delay, unless specifically prohibited by laws applicable to Ikigai Labs, if Ikigai Labs receives: (i) any requests from an individual with respect to Personal Data Processed by or on behalf of Ikigai Labs, such as opt-out requests, requests for access and/or rectification, erasure, restriction, requests for data portability, and all similar requests; or (ii) any complaint relating to the Processing of Personal Data, including allegations that the Processing infringes on an individual’s rights. Ikigai Labs (i) will not respond to any such request or complaint unless expressly authorized to do so by Customer; (ii) will cooperate with Customer with respect to any action taken relating to such request or complaint, whether received by Ikigai Labs or Customer; and (iii) will implement appropriate processes (including technical and organizational measures) to assist Customer in responding to requests or complaints from individuals.
h. Audit. Upon reasonable notice to Ikigai Labs during normal business hours, in a manner to minimize impact on Ikigai Labs’ business operations and in observance of Ikigai Labs’ obligations of client confidentiality, Ikigai Labs will provide to Customer, its authorized representatives, and such independent inspection body as Customer may appoint, for the purpose of auditing Ikigai Labs’ compliance with its obligations under this Exhibit: (i) access to Ikigai Labs’ information, processing premises, and records; (ii) reasonable assistance and cooperation of Ikigai Labs personnel; and (iii) reasonable facilities at Ikigai Labs’ premises.
i. Regulatory Investigations. Upon request by Customer, Ikigai Labs will assist and support Customer in the event of an investigation by any regulator or authority, including a data protection authority, if and to the extent that such investigation relates to Personal Data Processed by Ikigai Labs on Customer’s behalf in accordance with this Exhibit D.
j. Security Incident. Ikigai Labs will notify Customer in writing without undue delay whenever Ikigai Labs reasonably believes a Security Incident has occurred. After providing notice, Ikigai Labs will investigate the Security Incident, take all necessary steps to eliminate or contain the exposure of the Personal Data, and keep Customer informed of the status of the Security Incident and all related matters. Ikigai Labs further agrees to provide reasonable assistance and cooperation requested by Customer and/or Customer’s designated representatives, in the furtherance of any correction, remediation or investigation of any Security Incident and the mitigation of any potential damage, including any notification that Customer may determine appropriate to send to affected individuals, regulators or third parties, and/or the provision of any credit reporting service that Customer deems appropriate to provide to affected individuals. Unless required by law applicable to Ikigai Labs, Ikigai Labs will not notify any individual or any third party other than law enforcement of any potential Security Incident involving Personal Data in any manner that would identify, or is reasonably likely to identify or reveal the identity of, Customer, without first obtaining written permission of Customer.
k. Return or Disposal of Personal Data. Upon termination or expiration of its obligations under this Data Processing Addendum or upon request of Customer, whichever comes first, Ikigai Labs shall (i) cease all Processing of and return to Customer or, at the written request of Customer, securely dispose of or securely destroy all Personal Data in the custody and control of Ikigai Labs (or agents or subcontractors, as applicable), in each case using appropriate physical, administrative and technical safeguards to protect such Personal Data against loss, theft and unauthorized access, disclosure, copying, use, or modification; and (ii) certify to Customer, in writing, that Ikigai Labs has complied with its obligations under this Section.
l. Assistance. Ikigai Labs will provide appropriate information and assistance requested by Customer to demonstrate Ikigai Labs’ compliance with its obligations under this Exhibit and assist Customer in meeting its obligations under Applicable Privacy Laws regarding: (i) registration and notification; (ii) ensuring the security of the Personal Data; and (iii) carrying out privacy and data protection impact assessments and related consultations with data protection authorities. In addition, when Ikigai Labs is responding to Customer’s requests, Ikigai Labs will inform Customer if Ikigai Labs believes that any Customer instructions regarding the Processing of Personal Data would violate Applicable Privacy Laws.